fix: use raw body for webhook signature verification in lith
Express re-serializes parsed JSON via JSON.stringify(), which can alter
whitespace/key ordering. Stripe's constructEvent() then fails because
the signature was computed against the original body. Use req.rawBody
(captured by captureRawBody middleware) in toEvent() to preserve the
exact bytes the client sent.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>